Authenticating transactions using risk scores derived from detailed device information

ABSTRACT

One embodiment of the invention is directed to a method comprising, receiving an authentication request message for a transaction. The method further comprises determining that detailed device information is required to authenticate the transaction and generating a message including an identifier and a request for the detailed device information. The method further comprises retrieving the detailed device information from a remote server computer using the identifier and modifying the authentication request message to include the detailed device information. The method further comprises sending the modified authentication request message to an access control server computer. The method further comprises receiving an authentication response message from the access control server computer including a verification value for the transaction, where the verification value is generated based on a result of a risk analysis performed using the detailed device information.

CROSS-REFERENCES TO RELATED APPLICATIONS

This application is a non-provisional of and claims the benefit of thefiling date of U.S. Provisional Patent Application No. 62/159,142, filedon May 8, 2015, the disclosure of which is herein incorporated byreference in its entirety for all purposes.

BACKGROUND

Currently users can engage in e-commerce transactions purchasing andordering a variety of goods from online merchants utilizing web browsersfrom the ease of their home. The access to a new commerce channel formerchants and consumers alike has resulted in a number of benefitsincluding better service and increased revenue. However, onlinemerchants and consumers must engage in secure transactions to avoidsensitive information from being obtained (such as account numbers,personal information, or information identifying items purchased).Current methods to ensure security and efficiency include the use ofsecure communication channels from which two entities may providesensitive information. However, the infrastructure, including hardwareand software, required to set up new merchants or involve consumers canbe costly with respect to time and money. Currently, as part of thetransaction process, an authentication must be performed to ensure thatthe transaction is a valid and authentic transaction. This may requiresending challenges to the user attempting to perform the transaction,requiring the user to contact the issuer to confirm a transaction, etc.This has some drawbacks as it may lead to abandonment of otherwise validtransactions when the customer experience is slowed and madeinconvenient by excess challenges for valid transactions.

Embodiments of the invention address these and other problems,individually and collectively.

BRIEF SUMMARY

Embodiments of the invention are directed to systems and methods relatedto authenticating transactions using detailed portable deviceinformation to generate risk scores.

In current solutions, a secure authentication process may be performedfor a transaction that generates risk scores based on transaction dataand device data. However, secure authentication processes also have somedrawbacks. One drawback is that in order for a transaction to beauthenticated using the secure authentication program, the user may berequired to have enrolled in the secure authentication program. Thus, ifa transaction involves a user that is not enrolled in the secureauthentication program, the secure authentication process may not beinvoked.

Thus, there is a need for new and enhanced systems and methods ofprocessing payment transactions that are more efficient and able toprovide secure authentication-type services to all transactions.

One embodiment of the invention is directed to a method comprising,receiving, by a server computer, an authentication request message for atransaction. The method further comprises determining, by the servercomputer, that detailed device information is required to authenticatethe transaction and generating a message including an identifier and arequest for the detailed device information. The method furthercomprises retrieving, by the server computer, the detailed deviceinformation from a remote server computer using the identifier andmodifying the authentication request message to include the detaileddevice information. The method further comprises sending, by the servercomputer, the modified authentication request message to an accesscontrol server computer. The method further comprises receiving, by theserver computer, an authentication response message from the accesscontrol server computer including a verification value for thetransaction, where the verification value is generated based on a resultof a risk analysis performed using the detailed device information.

In some embodiments, the transaction includes utilizing a portabledevice. In embodiments, the portable device is configured to utilize amerchant mobile application and a processing network computerapplication.

In some embodiments, the authentication request message is provided bythe processing network computer application of the portable device tothe server computer. In embodiments, the transaction is initiatedutilizing the merchant mobile application of the portable consumedevice.

In some embodiments, the message comprises user data, portable devicedata, and transaction data. In embodiments, the user data includes oneor more of name of a user, an address for the user, an email address forthe user, or a phone number for the user. In some embodiments, theportable device data identifies a type of device for the portabledevice, screen resolution for the portable device, and a deviceidentifier for the portable device. In embodiments, the transaction dataidentifies item details included in the transaction, payment devicedata, and a payment account number of a user associated with thetransaction.

In some embodiments, the remote server computer identifies the detaileddevice information to provide to the server computer based at least inpart on a set of rules. The rules identify privacy requirements for thetransaction that limits the detailed device information provided to theserver computer.

In some embodiments, the method further comprises receiving, by theserver computer, the authentication response message from the accesscontrol server computer absent the verification value for thetransaction based at least in part on the risk analysis performed by theaccess control server utilizing the detailed device information. In someembodiments, a decline message is provided to a resource providercomputer that indicates that the transaction is denied in response tothe absence of the verification value for the transaction.

Embodiments of the invention are further directed to a server computercomprising a processor and memory. The memory can include instructionsthat, when executed with the processor, cause the server computer toperform operations for implementing any of the methods described herein.

Embodiments of the invention are further directed to acomputer-implemented method comprising receiving an indication of atransaction initiated with a resource provider application of a portabledevice. The computer-implemented method further comprises generating anauthentication request message for the transaction and providing theauthentication request message to a directory server computer. Thedirectory server computer is configured to determine that detaileddevice information for the portable device is required to authenticatethe transaction. The computer-implemented method further comprisesproviding to a remote server computer the detailed device informationfor the portable device in response to a request from the remote servercomputer. The computer-implemented method further comprises receiving,from the directory server computer, an authentication response messagethat includes a verification value for the transaction. The verificationvalue being generated by an access control server computer based on aresult of a risk analysis performed using the detailed deviceinformation where the access control server computer transmits theverification value to the directory server computer. Thecomputer-implemented method comprises transmitting the authenticationresponse message and the verification value to an authorizing computerto authorize the transaction for a resource provider computer.

These and other embodiments of the invention are described in furtherdetail below.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a block diagram of a transaction processing system forprocessing transactions according to an embodiment of the presentinvention.

FIG. 2 shows a flow diagram depicting processing transactions usingdetailed device information according to an embodiment of the presentinvention.

FIG. 3 shows a flow diagram depicting an alternative method ofprocessing transactions using detailed device information according toan embodiment of the present invention.

FIG. 4 shows a flow diagram depicting an alternative method ofprocessing transactions using detailed device information according toan embodiment of the present invention.

DETAILED DESCRIPTION

Embodiments of the present invention may be directed at authenticatingtransactions using detailed portable device information to generate riskscores.

In some embodiments, detailed portable device information fora portabledevice used in a transaction may be retrieved by a third party computer.The detailed portable device information may be associated with anauthentication request message and used to enhance a risk analysisperformed for the transaction.

In some embodiments, this process may be initiated by a processingnetwork computer SDK that is stored on a memory in the portable device.When the user accesses a merchant application to perform a transaction,the merchant application may first invoke the processing networkcomputer SDK prior to initiating the secure authentication process.

Embodiments of the present invention may be used in transactionprocessing systems or may use data generated during transactionprocessing through a transaction processing system. Such embodiments mayinvolve transactions between users and merchants. The tokenizedtransaction amount may be used by the processing network computer todetermine a transaction fee for processing the transaction on behalf ofthe merchant. Further, embodiments of the invention, as discussedherein, may be described as pertaining to financial transactions andpayment systems. However, embodiments of the invention can also be usedin other systems. For example, a transaction may be authorized forsecure access of data or to a secure area.

Prior to discussing embodiments of the invention, descriptions of someterms may be helpful in understanding embodiments of the invention.

A “portable device” may comprise any suitable electronic device that maybe operated by a user, which may also provide remote communicationcapabilities to a network. A “portable consumer device” may be anexample of a “portable device.” Examples of remote communicationcapabilities include using a mobile phone (wireless) network, wirelessdata network (e.g. 3G, 4G or similar networks), Wi-Fi, Wi-Max, or anyother communication medium that may provide access to a network such asthe Internet or a private network. Examples of portable devices includemobile phones (e.g. cellular phones), PDAs, tablet computers, net books,laptop computers, personal music players, hand-held specialized readers,etc. Further examples of portable devices include wearable devices, suchas smart watches, fitness bands, ankle bracelets, rings, earrings, etc.,as well as automobiles with remote communication capabilities. In someembodiments, a portable device can function as a payment device (e.g., aportable device can store and be able to transmit payment credentialsfor a transaction).

A “payment device” may include any suitable device that may be used toconduct a financial transaction, such as to provide payment credentialsto a merchant. The payment device may be a software object, a hardwareobject, or a physical object. As examples of physical objects, thepayment device may comprise a substrate such as a paper or plastic card,and information that is printed, embossed, encoded, or otherwiseincluded at or near a surface of an object. A hardware object can relateto circuitry (e.g., permanent voltage values), and a software object canrelate to non-permanent data stored on a device. A payment device may beassociated with a value such as a monetary value, a discount, or storecredit, and a payment device may be associated with an entity such as abank, a merchant, a payment processing network, or a person. Suitablepayment devices can be hand-held and compact so that they can fit into auser's wallet and/or pocket (e.g., pocket-sized). Example paymentdevices may include smart cards, magnetic stripe cards, keychain devices(such as the Speedpass™ commercially available from Exxon-Mobil Corp.),etc. Other examples of payment devices include payment cards, smartmedia, transponders, and the like. If the payment device is in the formof a debit, credit, or smartcard, the payment device may also optionallyhave features such as magnetic stripes. Such devices can operate ineither a contact or contactless mode.

An “application” may be computer code or other data stored on a computerreadable medium (e.g., memory element or secure element) that may beexecutable by a processor to complete a task. Examples of an applicationinclude a resource provider application, a merchant application, or aprocessing network computer SDK. An application may include a mobileapplication. An application may be designed to streamline the purchaseand payment process or the process for accessing a secure area or securedata. An application may enable a user to initiate a transaction with aresource provider or merchant and authorize the transaction.

A “user” may include an individual. In some embodiments, a user may beassociated with one or more personal accounts and/or mobile devices. Theuser may also be referred to as a cardholder, account holder, orconsumer in some embodiments.

A “resource provider” may be an entity that can provide a resource suchas goods, services, information, and/or access. Examples of resourceproviders includes merchants, data providers, transit agencies,governmental entities, venue and dwelling operators, etc.

A “merchant” may typically be an entity that engages in transactions andcan sell goods or services, or provide access to goods or services.

An “acquirer” may typically be a business entity (e.g., a commercialbank) that has a business relationship with a particular merchant orother entity. Some entities can perform both issuer and acquirerfunctions. Some embodiments may encompass such single entityissuer-acquirers. An acquirer may operate an acquirer computer, whichcan also be generically referred to as a “transport computer”.

An “authorizing entity” may be an entity that authorizes a request.Examples of an authorizing entity may be an issuer, a governmentalagency, a document repository, an access administrator, etc.

An “issuer” may typically refer to a business entity (e.g., a bank) thatmaintains an account for a user. An issuer may also issue paymentcredentials stored on a user device, such as a cellular telephone, smartcard, tablet, or laptop to the consumer.

An “authorization request message” may be an electronic message thatrequests authorization for a transaction. In some embodiments, it issent to a transaction processing computer and/or an issuer of a paymentcard to request authorization for a transaction. An authorizationrequest message according to some embodiments may comply with ISO 8583,which is a standard for systems that exchange electronic transactioninformation associated with a payment made by a user using a paymentdevice or payment account. The authorization request message may includean issuer account identifier that may be associated with a paymentdevice or payment account. An authorization request message may alsocomprise additional data elements corresponding to “identificationinformation” including, by way of example only: a service code, a CVV(card verification value), a dCVV (dynamic card verification value), aPAN (primary account number or “account number”), a payment token, auser name, an expiration date, etc. An authorization request message mayalso comprise “transaction information,” such as any informationassociated with a current transaction, such as the transaction amount,merchant identifier, merchant location, acquirer bank identificationnumber (BIN), card acceptor ID, information identifying items beingpurchased, etc., as well as any other information that may be utilizedin determining whether to identify and/or authorize a transaction.

An “authorization response message” may be a message that responds to anauthorization request. In some cases, it may be an electronic messagereply to an authorization request message generated by an issuingfinancial institution or a transaction processing computer. Theauthorization response message may include, by way of example only, oneor more of the following status indicators: Approval—transaction wasapproved; Decline—transaction was not approved; or Call Center—responsepending more information, merchant must call the toll-free authorizationphone number. The authorization response message may also include anauthorization code, which may be a code that a credit card issuing bankreturns in response to an authorization request message in an electronicmessage (either directly or through the transaction processing computer)to the merchant's access device (e.g. POS equipment) that indicatesapproval of the transaction. The code may serve as proof ofauthorization.

A “server computer” may include a powerful computer or cluster ofcomputers. For example, the server computer can be a large mainframe, aminicomputer cluster, or a group of servers functioning as a unit. Inone example, the server computer may be a database server coupled to aWeb server. The server computer may comprise one or more computationalapparatuses and may use any of a variety of computing structures,arrangements, and compilations for servicing the requests from one ormore client computers.

A “payment processing network” (e.g., VisaNet™) may include dataprocessing subsystems, networks, and operations used to support anddeliver authorization services, exception file services, and clearingand settlement services. An exemplary payment processing network mayinclude VisaNet™. Payment processing networks such as VisaNet™ are ableto process credit card transactions, debit card transactions, and othertypes of commercial transactions. VisaNet™ in particular, includes a VIPsystem (Visa Integrated Payments System) which processes authorizationrequests and a Base II system which performs clearing and settlementservices. A payment processing network may be referred to as aprocessing network computer.

“Item details” may include information suitable for a transaction thatinvolves an item or service. Examples of item details include priceinformation, quantity information, a merchant identifier, or geographiclocation information.

I. Systems

FIG. 1 shows a block diagram of a transaction processing system forprocessing transactions according to an embodiment of the presentinvention. The system 100 includes a portable device 101, a resourceprovider computer 110, a transport computer 115, a processing networkcomputer 120, an authorizing computer 140, a directory server computer150, an external server computer 160, and an access control servercomputer 170. Each of these systems and computers may be in operativecommunication with each other. In some embodiments, the portable device101 may be operated by a user 102.

Each of these systems and computers may be in operative communicationwith each other. For simplicity of illustration, a certain number ofcomponents are shown in FIG. 1 . It is understood, however, thatembodiments of the invention may include more than one of eachcomponent. In addition, some embodiments of the invention may includefewer than or greater than all of the components shown in FIG. 1 . Inaddition, the components in FIG. 1 may communicate via any suitablecommunication medium (including the Internet), using any suitablecommunications protocol.

The portable device 101 may be in any suitable form. For example,suitable user portable devices 101 may be hand-held and compact so thatthey can fit into a user's pocket. Examples of portable devices 101 mayinclude any device capable of accessing the Internet. Specific examplesof portable devices 101 include cellular or wireless phones (e.g.,smartphones), tablet phones, tablet computers, laptop computers, desktopcomputers, personal digital assistants (PDAs), pagers, portablecomputers, smart cards, and the like. Additional portable devices 101may also include wearable devices, such as smart watches, fitness bands,ankle bracelets, rings, earrings, etc.

The portable device 101 may include a processor, memory, input/outputdevices, and a computer readable medium coupled to the processor. Thecomputer readable medium may comprise code, executable by the processorfor performing the functionality described below. In some embodiments,the portable device 101 may include a browser and/or applications (e.g.,mobile applications, computer programs) stored in the memory andconfigured to retrieve, present, and send data across a communicationsnetwork (e.g., the Internet).

In some embodiments, the portable device 101 may include at least amerchant application 101A, a processing network computer SDK (“PN SDK”)101B, and an authentication SDK (“Auth SDK”) 101C, which may be storedin the memory of the portable device 101.

The resource provider computer 110 may be comprised of various modulesthat may be embodied by computer code, residing on computer readablemedia. The resource provider computer 110 may include a processor and acomputer readable medium coupled to the processor, the computer readablemedium comprising code, executable by the processor for performing thefunctionality described below. The resource provider computer 110 may bein any suitable form. Examples of the resource provider computer 100 mayinclude a web server computer hosting a merchant Internet website oraccessible by a merchant application 101A stored on the portable device101. Additional examples of resource provider computers include anydevice capable of accessing the Internet, such as a personal computer,cellular or wireless phones, personal digital assistants (PDAs), tabletcomputers, and handheld specialized readers.

The transport computer 115 is typically a system associated with anentity (e.g., a bank) that has a business relationship with a particularmerchant or other entity. The transport computer 115 may include aprocessor and a computer readable medium coupled to the processor, thecomputer readable medium comprising code, executable by the processorfor performing the functionality described below. The transport computer115 may be configured to route transaction authorization messagesbetween the resource provider computer 110 and the processing networkcomputer 120.

The processing network computer 120 may be a payment processing networkcomputer, and may comprise a server computer 120A. The server computer120A may include a processor and a computer readable medium coupled tothe processor, the computer readable medium comprising code, executableby the processor. In some embodiments, the server computer 120A may becoupled to a database and may include any hardware, software, otherlogic, or combination of the preceding for servicing the requests fromone or more client computers.

The processing network computer 120 may include data processingsubsystems, networks, and operations used to support and deliverauthorization services, exception file services, and clearing andsettlement services. An exemplary processing network computer 120 mayinclude VisaNet™. Networks that include VisaNet™ are able to processcredit card transactions, debit card transactions, and other types ofcommercial transactions. VisaNet™, in particular, includes an integratedpayments system that processes authorization requests and a Base IIsystem that performs clearing and settlement services. The processingnetwork computer 120 may use any suitable wired or wireless network,including the Internet.

An authorizing computer 140 is typically associated with a businessentity (e.g., a bank). The authorizing computer 140 may comprise aserver computer 140A. The server computer 140A may include a processorand a computer readable medium coupled to the processor, the computerreadable medium comprising code, executable by the processor. In someembodiments, the authorizing computer 140 may communicate with theprocessing network computer 120 to provide authentication processes andaccount information associated with an account of the user 102. Theauthorizing computer 140 may maintain financial accounts for the user102, and can issue payment devices, such as a credit or debit card tothe user 102.

The directory server computer 150 may be a server computer configured toroute messages from the portable device 101 and/or the resource providercomputer 110 to the access control server computer 170, as well asmessages from the access control server 170 to the portable device 101and/or the resource provider computer 110. In some embodiments, thedirectory server computer 150 may be operated by the processing networkcomputer 120. In some embodiments, the directory server computer 150 mayinclude any hardware, software, other logic, or combination of thepreceding for servicing the requests from one or more client computers.

In some embodiments, the directory server computer 150 may be coupled toone or more databases, such as a rules database 150A and a user database150B. In some embodiments, the rule database 150A may store rulesrelated to authentication and device data that may be retrieved toperform authentication (e.g., privacy data or restrictions). Forexample, the rule database 150A may store restrictions on the collectionof user and portable device data based on country. In some embodiments,the user database 150B may store data associated with a user 102,including account data (e.g., account numbers) and user personal data(e.g., name, address, phone number, email address). In some embodiments,the user database 1508 may be accessed with a user's email address orphone number to retrieve one or more account numbers associated with theuser.

The access control server 170 may comprise a server computer that may beconfigured to conduct authentication and authorization processes. Theaccess control server 170 may be associated with an issuer, which can beany bank that issues and maintains a financial account for a cardholder.The access control server 170 may validate (or authenticate) passwords,PIN numbers or challenge responses associated with the user, and anaccount associated with the user. The access control server 170 may usethe PAN, computing device data, payment device data, geolocation data,consumer data, transaction data, account data, or other comparable data,in order to authenticate the user and PAN. In some embodiments, at thetime of a transaction, the access control server 170 may further performuser authentication, and may provide digitally signed responses,including a CAVV, to the merchant application 101 stored on the portabledevice 101 through the directory server computer 150. In otherembodiments, the access control server 170 may send responses backdirectly to the portable device 101. In some embodiments, the functionsof the access control server computer 170 may be performed by theprocessing network computer 120.

Some embodiments may also include the external server computer 160. Theexternal server computer 160 may include a processor and a computerreadable medium coupled to the processor, the computer readable mediumcomprising code, executable by the processor. In some embodiments, theexternal server computer 160 may include any hardware, software, otherlogic, or combination of the preceding for servicing the requests fromone or more client computers. In some embodiments, the external servercomputer 160 may be configured to retrieve device data from the portabledevice 101. In such embodiments, the retrieved device data may then beassociated with a transaction as part of a risk analysis.

In embodiments of the present invention, a server computer can be apowerful computer or a cluster of computers. For example, the servercomputer can be a large mainframe, a minicomputer cluster, or a group ofservers functioning as a unit. In one example, the server computer maybe a database server coupled to a Web server. The components 101, 110,115, 120, 140, 150, 160, and 170 may all be in operative communicationwith each other through any suitable communication channel orcommunications network. Suitable communications networks may be any oneand/or the combination of the following: a direct interconnection; theInternet; a Local Area Network (LAN); a Metropolitan Area Network (MAN);and Operating Missions as Nodes on the Internet (OMNI); a securedcustomer connection; a Wide Area Network (WAN); a wireless network(e.g., employing protocols such as, but not limited to a WirelessApplication Protocol (WAP), I-mode, and/or the like); and/or the like.

Messages between the computers, networks, and devices may be transmittedusing secure communications protocols such as, but not limited to, FileTransfer Protocol (FTP); HyperText Transfer Protocol (HTTP); SecureHypertext Transfer Protocol (HTTPS); Secure Socket Layer (SSL); ISO(e.g., ISO 8583) and/or the like.

The resource provider computer 110 may be associated with a resourceprovider. The resource provider may engage in transactions, sell goodsor services, or provide access to goods, services, data, or events to auser. The resource provider computer 110 may provide access to servicesuch as cash deposit/withdrawal, secure access, secure data access, etc.The resource provider may accept multiple forms of payment (e.g., theportable device 101) and may use multiple tools to conduct differenttypes of transactions. The resource provider may also sell goods and/orservices via a website or an application and may accept payments overthe internet. The processing network computer 120 may be disposedbetween the transport computer 115 and authorizing computer 140.

The processing network computer 120 may include data processingsubsystems, networks, and operations used to support and deliverauthorization services, exception file services, and clearing andsettlement services. For example, the processing network computer 120may comprise a server coupled to a network interface (e.g., by anexternal communication interface), and databases of information. Theprocessing network computer 120 may be representative of a transactionprocessing network. An exemplary transaction processing network mayinclude VisaNet™. Transaction processing network such as VisaNet™ areable to process credit card transactions, debit card transactions, andother types of commercial transactions. VisaNet™, in particular,includes a VIP system (Visa Integrated Payments System) which processesauthorization requests and a Base II system which performs clearing andsettlement services. The processing network computer 120 may use anysuitable wired or wireless network, including the Internet.

The authorizing computer 140 may issue and manage a payment account andan associated payment device such as portable device 101. Theauthorizing computer 140 may be able to authorize transactions thatinvolve the payment account. Before authorizing a transaction, theauthorizing computer 140 may authenticate payment credentials receivedin the authorization request and check that there is available credit orfunds in an associated payment account. If the authorizing computer 140receives an authorization request that includes a payment token, theauthorizing computer 140 may be able to de-tokenize the payment token inorder to obtain the associated payment credentials.

II. Methods

A. Authentication Using a Secure Authentication Process

FIG. 2 shows a flow diagram depicting processing transactions usingdetailed device information according to an embodiment of the presentinvention. Additional methods and processes may be included within thesemethods and may be recognized by one of ordinary skill in the art, inlight of the description below. Further, in some embodiments of thepresent invention, the described methods may be combined, mixed, andmatched, as one of ordinary skill would recognize. In the embodimentdescribed below, the authentication request message may beauthentication for a payment transaction. In other embodiments, amongother examples, the authentication request message may be a request toauthenticate a user or authorize an access transaction.

At step 201, the user 102 performs a payment transaction with a merchantassociated with a resource provider computer 110. In some embodiment,the user 102 may perform the payment transaction using a portable device101. In some embodiments, the user 102 may access a merchant mobileapplication 101A stored on the portable device 101 in order to initiatethe payment transaction. The merchant mobile application 101A may beassociated with the merchant operating the resource provider computer110. When the user 102 has selected goods or services via the mobileapplication, the user 102 may proceed to a checkout process for thetransaction. For example, the user 102 may select a “Buy” or “Checkout”option presented on a display of the portable device 101. In otherembodiments, the user 102 may swipe or pass the portable device 101 by amerchant access device to initiate the payment transaction.

At step 202, as part of initiating the payment transaction, the merchantapplication 101A may invoke or access a processing network computer SDK(“PN SDK”) 101B. The PN SDK 101B may generate and send a transactionmessage. The transaction message may include user data, portable devicedata, and transaction data. The transaction message may be sent to adirectory server computer 150. The directory server computer 150 mayevaluate the transaction message to determine whether portable deviceinformation is required for the payment transaction. In someembodiments, the directory server computer 150 may access a rulesdatabase 150A to determine privacy requirements that may exist for thepayment transaction. For example, country A may allow the retrieval ofthe IP address of the portable device 101, while country B may not allowthe retrieval of the IP address of the portable device 101.

The data sent in the transaction message may include user computingdevice data (e.g., device type, screen resolution, device identifier),user data (e.g., user name, user address data, user email address, userphone number), and transaction data (e.g., shopping cart data, paymentdevice data, payment account number), and/or other comparable data.

In some embodiments, the directory server computer 150 may generate amessage indicating whether an external server computer 160 should beaccessed by the PN SDK in order to retrieve additional portable deviceinformation from the portable device. In such embodiments, directoryserver computer 150 may generate a session identifier (e.g., atransaction identifier), which may be sent in the message and stored bythe directory server computer 150. In embodiments, the sessionidentifier may include an alpha numeric string that is unique to thetransaction or identification purposes. The session identifier mayinclude a time stamp that corresponds to the transaction or any othersuitable information that can be utilized to uniquely identify thetransaction (such as a numeric value or code). In some embodiments, themessage may also include the privacy requirements for the transactionretrieved from the rules database 150A.

At step 203, the PN SDK 101B may access the external server computer 160to allow the external server computer 160 to access and retrievedetailed portable device information from the portable device 101. Insuch embodiments, the PN SDK 101B may transmit the session identifiergenerated by the directory server computer 150 to the external servercomputer 160. In some embodiments, the privacy requirements for thetransaction retrieved from the rules database 150A may limit theportable device information that may be retrieved by the external servercomputer 160. The external server computer 160 may store the detailedportable device information and associate the data with the sessionidentifier.

The detailed portable device information may include operating systemdata, browser data, mobile application data, geo-location data (IPaddress, country based on IP location), language data, JavaScript®options, Flash options, cookies options, etc.

At step 204, the directory server computer 150 may access the externalserver computer 160 using the session identifier. The directory servercomputer 150 may provide the session identifier to the external servercomputer 160. The external server computer 160 may retrieve the detailedportable device information associated with the session identifier andtransmit the detailed portable device information to the directoryserver computer 150. In some embodiments, the external server computer160 may send only the data authorized based on the privacy requirementsfor the transaction and retain any additional data. In otherembodiments, the external server computer 160 may only have retrievedthe detailed portable device information that is allowed based on theprivacy requirements for the transaction.

At step 205, an authentication request message (“AReq”) is transmittedby the merchant application 101A on the portable device 101 to theresource provider computer 110 as part of a secure authenticationprocess. In embodiments, the merchant application 101A may be an exampleof a resource provider application and/or application that is utilizedto streamline a transaction process. The authentication request messagemay request an authentication process be performed for a user, a usercomputing device, or a payment device.

At step 206, the resource provider computer 110 may send theauthentication request message to the directory server computer 150. Thedirectory server computer 150 may use the PAN, transaction date,transaction amount, IP address of the portable device 101, or othertransaction-related data in the authentication request message to matchthe authentication request message to the data sent to the directoryserver computer 150 by the PN SDK 101B (in step 202 above).

In some embodiments, the directory server computer 150 may modify theauthentication request message to include the detailed portable deviceinformation retrieved from the external server computer 160. In someembodiments, the directory server computer 150 may append the detailedportable device information to the authentication request message in amessage extension.

The directory server computer 150 may then route the modifiedauthentication request message to an appropriate access control servercomputer 170 associated with the transaction based on payment data(e.g., an account number). For example, the directory server computer106 may evaluate the data in the authentication request message andsearch for an account range that includes a bank identification number(“BIN”) or personal account number (“PAN”) received in theauthentication request message.

At step 207, the access control server computer 170 may use the data inthe authentication request message and the detailed portable deviceinformation from the external server computer 160 to perform a riskanalysis for the transaction. The access control server computer 170 maythen generate an authentication response message indicating the resultof the risk analysis. For example, when the risk analysis indicates thatthere is a low risk, the access control server computer 170 may generatea card authentication verification value (“CAVV”) that may be used in anauthorization process for the transaction. The CAVV may be included inthe authentication response message.

In some embodiments, when the risk analysis indicates that there is ahigh risk, the access control server computer 170 may not generate theCAVV and may generate a message indicating that the transaction has notbeen authenticated and should be declined and/or terminated. Theauthentication response message may then be sent back to the resourceprovider computer 110 via the directory server computer 150.

At step 208, based on the decision provided in the authenticationresponse message received from the access control server computer 170,the resource provider computer 110 may indicate that the authenticationprocessing has been completed (either successfully or unsuccessfully).Based on the result of the authentication process, the resource providercomputer 110 may proceed to the authorization process for thetransaction, or may end the transaction.

At step 209, the authorization process is initiated by sending anauthorization request message to the resource provider computer 110 fromthe merchant application 101A. The authorization request message mayinclude the CAVV generated by the access control server computer 170 forthe transaction. In some embodiments, the resource provider computer 110may include the session identifier in the authorization request messageto enable matching to the detailed portable device information. In otherembodiments, the detailed portable device information may be sent withthe authorization request message.

The authorization request message may be sent to an authorizing computer140 through an transport computer 115 associated with the merchant, andthrough the processing network computer 120. Once the transaction hasbeen authorized by the authorizing computer 140, the resource providercomputer 110 may finalize the transaction by providing goods or servicesto the user.

At a later time, a clearing and settlement process for the transactionmay be conducted. The clearing and settlement process may include aprocess of reconciling the transaction. A clearing process is a processof exchanging financial details between the authorizing computer 140 andthe transport computer 115 to facilitate posting to an account andreconciliation of the user's settlement position. Settlement involvesthe delivery of securities from one account (e.g., a user account at anissuing bank) to another account (e.g., a merchant account at anacquiring bank). In some embodiments, clearing and settlement can occursimultaneously. In some embodiments, the settlement process can beconducted using standard financial transaction messaging formats.

In some embodiments, the clearing and settlement process may beperformed once the transaction has been completed, or may be sent in abatch by the resource provider computer 110 at the end of the businessday or at designated times.

B. Authentication Using a Lite Secure Authentication Process

FIG. 3 shows a flow diagram depicting an alternative method ofprocessing transactions using detailed device information according toan embodiment of the present invention. In the embodiment depicted inFIG. 3 , the authentication process may be performed without sending anauthentication request message through the merchant.

As depicted in FIG. 3 , steps 301-304 proceed as described above withrespect to steps 201-204 of FIG. 2 .

In step 305, the directory server computer 150 may send theauthentication request message to the access control server computer170. In some embodiments, the directory server computer 150 may modifythe authentication request message to include the detailed portabledevice information retrieved from the external server computer 160. Insome embodiments, the directory server computer 150 may append thedetailed portable device information to the authentication requestmessage in a message extension.

In step 306, the access control server computer 170 may use the data inthe authentication request message and the detailed portable deviceinformation from the external server computer 160 to perform a riskanalysis for the transaction. The access control server computer 170 maythen generate an authentication response message indicating the resultof the risk analysis. For example, when the risk analysis indicates thatthere is a low risk, the access control server computer 170 may generatea card authentication verification value (“CAVV”) that may be used in anauthorization process for the transaction. The CAVV may be included inthe authentication response message.

In some embodiments, when the risk analysis indicates that there is ahigh risk, the access control server computer 170 may not generate theCAVV and may generate a message indicating that the transaction has notbeen authenticated and should be declined and/or terminated. Theauthentication response message may then be sent back to the directoryserver computer 150.

In step 307, the directory server computer may send the authenticationresponse message back to the PN SDK 101B, which may then provide theresult of the authentication process, including the generated CAVV tothe merchant application 101A.

In step 308, the authorization process is initiated by sending anauthorization request message to the resource provider computer from themerchant application 101A. The authorization request message may includethe CAVV generated by the access control server computer 170 for thetransaction. In some embodiments, the resource provider computer 110 mayinclude the session identifier in the authorization request message toenable matching to the detailed portable device information. In otherembodiments, the detailed portable device information may be sent withthe authorization request message.

The authorization request message may be sent to an authorizing computer140 through an transport computer 115 associated with the merchant, andthrough the processing network computer 120. Once the transaction hasbeen authorized by the authorizing computer 140, the resource providercomputer 110 may finalize the transaction by providing goods or servicesto the user.

At a later time, a clearing and settlement process for the transactionmay be conducted. The clearing and settlement process may include aprocess of reconciling the transaction. A clearing process is a processof exchanging financial details between the authorizing computer 140 andthe transport computer 115 to facilitate posting to an account andreconciliation of the user's settlement position. Settlement involvesthe delivery of securities from one account (e.g., a user account at anissuing bank) to another account (e.g., a merchant account at anacquiring bank). In some embodiments, clearing and settlement can occursimultaneously. In some embodiments, the settlement process can beconducted using standard financial transaction messaging formats.

In some embodiments, the clearing and settlement process may beperformed once the transaction has been completed, or may be sent in abatch by the resource provider computer 110 at the end of the businessday or at designated times.

C. Authentication Using an Alias

FIG. 4 shows a flow diagram depicting an alternative method ofprocessing transactions using detailed device information according toan embodiment of the present invention. In the embodiment depicted inFIG. 4 , the authentication process may be performed without sending anauthentication request message through the merchant using a secureauthentication process. In this embodiment, the authentication requestmessage may include a user phone number, email address or othernon-payment account data in place of the user's account number.

At step 401, the user 102 performs a payment transaction with a merchantassociated with a resource provider computer 110. In some embodiment,the user 102 may perform the payment transaction using a portable device101. In some embodiments, the user 102 may access a merchant mobileapplication 101A stored on the portable device 101 in order to initiatethe payment transaction. The merchant mobile application 101A may beassociated with the merchant operating the resource provider computer110. When the user 102 has selected goods or services via the mobileapplication, the user 102 may proceed to a checkout process for thetransaction. For example, the user 102 may select a “Buy” or “Checkout”option presented on a display of the portable device 101. The user mayprovide their phone number, email address, or other unique identifier tothe merchant as part of the transaction process.

At step 402, as part of initiating the payment transaction, the merchantapplication 101A may invoke or access a processing network computer SDK(“PN SDK”) 101B. The PN SDK 101B may generate and send a transactionmessage. The transaction message may include user data, portable devicedata, and transaction data. The transaction message may be sent to adirectory server computer 150. The directory server computer 150 mayevaluate the transaction message to determine whether portable deviceinformation is required for the payment transaction. In someembodiments, the directory server computer 150 may access a rulesdatabase 150A to determine privacy requirements that may exist for thepayment transaction.

In some embodiments, the directory server computer 150 may access a userdatabase 150B to determine account data for the user. For example, thedirectory server computer 150 may query the user database 150B with theuser email address and/or phone number provided in the authenticationrequest message. The user email address and/or phone number may beassociated with a user profile stored in the user database 150B. Theuser profile may include account data (e.g., account number, expirationdate, transaction limits) associated with an account of the user. Insuch embodiments, the account number for the account may be retrievedand used to modify the authentication request message. In someembodiments, the user email address or phone number may be replaced withthe account number. In other embodiments, the account number may beappended to the authentication request message or inserted into a fieldwithin the authentication request message.

In some embodiments, when the email address or phone number do not matcha user profile stored in the user database 150B, the authenticationrequest may be declined.

The data sent in the transaction message may include user computingdevice data (e.g., device type, screen resolution, device identifier),user data (e.g., user name, user address data, user email address, userphone number), and transaction data (e.g., shopping cart data, paymentdevice data, payment account number), and/or other comparable data.

In some embodiments, the directory server computer 150 may generate amessage indicating whether an external server computer 160 should beaccessed by the PN SDK in order to retrieve additional portable deviceinformation from the portable device. In such embodiments, directoryserver computer 150 may generate a session identifier (e.g., atransaction identifier), which may be sent in the message and stored bythe directory server computer 150. In some embodiments, the message mayalso include the privacy requirements for the transaction retrieved fromthe rules database 150A.

At step 403, the PN SDK 101B may access the external server computer 160to allow the external server computer 160 to access and retrievedetailed portable device information from the portable device 101. Insuch embodiments, the PN SDK 101B may transmit the session identifiergenerated by the directory server computer 150 to the external servercomputer 160. In some embodiments, the privacy requirements for thetransaction retrieved from the rules database 150A may limit theportable device information that may be retrieved by the external servercomputer 160. The external server computer 160 may store the detailedportable device information and associate the data with the sessionidentifier.

The detailed portable device information may include operating systemdata, browser data, mobile application data, geo-location data (IPaddress, country based on IP location), language data, JavaScript®options, Flash options, cookies options, etc.

At step 404, the directory server computer 150 may access the externalserver computer 160 using the session identifier. The directory servercomputer 150 may provide the session identifier to the external servercomputer 160. The external server computer 160 may retrieve the detailedportable device information associated with the session identifier andtransmit the detailed portable device information to the directoryserver computer 150. In some embodiments, the external server computer160 may send only the data authorized based on the privacy requirementsfor the transaction and retain any additional data. In otherembodiments, the external server computer 160 may only have retrievedthe detailed portable device information that is allowed based on theprivacy requirements for the transaction.

As depicted in FIG. 4 , steps 405-408 proceed as described above withrespect to steps 305-308 of FIG. 3 .

III. Additional Embodiments

In some embodiments, advice messages may be generated and sent betweenthe merchant application 101A and the PN SDK 101B. In such embodiments,the advice messages may contain information reasons for rejection (e.g.,merchants rejected ordered based on negative files, user order history,website behavior), results of the merchant's review of suspicious orders(e.g., customer communication, email validation, reverse telephonelookup results, credit history check, delivery address vs. billingaddress), and information regarding non-reported fraud associated withthe user that may have been settled.

In some embodiments, advice messages may be generated and sent betweenthe directory server computer 150 and the merchant application 101A. Insuch embodiments, the advice messages may include risk scores and thedetailed portable device information.

In some embodiments, advice messages may be generated and sent betweenthe access control server computer 170 and the merchant application101A, including risk scores. In such embodiments, the advice messagesmay be passed to the directory server computer 150 and then to the PNSDK 101B to provide to the merchant application 101A. For example, thismay occur during step 306 and 307 in FIG. 3 .

In some embodiments, value-added services may be provided to the userprior to the completion of the transaction. For example, an offer may begenerated for the transaction prior to the transaction being completed,such as “Get $20 off if you add another pair of jeans to the shoppingcart.” In addition, risk scores may be provided to the merchants, users,and issuers.

The various participants and elements described herein may operate oneor more computer apparatuses to facilitate the functions describedherein. Any of the elements in the above-described FIGS. 1-4 , includingany servers or databases, may use any suitable number of subsystems tofacilitate the functions described herein.

As described herein, a computer system may be used to implement any ofthe entities or components described above. The subsystems of a computersystem may be interconnected via a system bus. Additional subsystemssuch as a printer, keyboard, fixed disk (or other memory comprisingcomputer readable media), monitor, which is coupled to display adapter,and others are also included in embodiments described herein.Peripherals and input/output (I/O) devices, which may be coupled to anI/O controller (which can be a processor or other suitable controller),can be connected to the computer system by any number of means known inthe art, such as a serial port. For example, a serial port or externalinterface can be used to connect the computer apparatus to a wide areanetwork such as the Internet, a mouse input device, or a scanner. Theinterconnection via system bus allows the central processor tocommunicate with each subsystem and to control the execution ofinstructions from system memory or the fixed disk, as well as theexchange of information between subsystems. The system memory and/or thefixed disk of the computer system may embody a computer readable medium.In some embodiments, the monitor may be a touch sensitive displayscreen.

A computer system can include a plurality of the same components orsubsystems, e.g., connected together by an external interface or by aninternal interface. In some embodiments, computer systems, subsystem, orapparatuses can communicate over a network. In such instances, onecomputer can be considered a client and another computer a server, whereeach can be part of a same computer system. A client and a server caneach include multiple systems, subsystems, or components.

It should be understood that any of the embodiments of the presentinvention can be implemented in the form of control logic using hardware(e.g. an application specific integrated circuit or field programmablegate array) and/or using computer software with a generally programmableprocessor in a modular or integrated manner. As used herein, a processorincludes a single-core processor, multi-core processor on a sameintegrated chip, or multiple processing units on a single circuit boardor networked. Based on the disclosure and teachings provided herein, aperson of ordinary skill in the art will know and appreciate other waysand/or methods to implement embodiments of the present invention usinghardware and a combination of hardware and software.

Embodiments of the invention have a number of advantages. For example,embodiments of the invention allow for increased security for both usersand merchants by calculating risk scores that utilize detailed deviceinformation for use in authenticating a transaction. The user can engagein transactions without having to provide a large amount of input forauthorization as the mobile application of the portable devicecommunicate with other entities to request and obtain the detaileddevice information. Implementation costs are also reduced as embodimentsof the invention can leverage existing communication channels to requestand obtain the detailed device information for calculating a risk scorein the authentication process. Further, embodiments of the inventionenable authentication transactions to adhere to various privacyrequirements or concerns on a global scale as the authentication processdescribed herein includes communicating with a rule set or rulesdatabase to adhere to privacy requirements regarding detailed deviceinformation.

Any of the software components or functions described in thisapplication, may be implemented as software code to be executed by aprocessor using any suitable computer language such as, for example,Java, C++ or Perl using, for example, conventional or object-orientedtechniques. The software code may be stored as a series of instructions,or commands on a computer readable medium, such as a random accessmemory (RAM), a read only memory (ROM), a magnetic medium such as ahard-drive or a floppy disk, or an optical medium such as a CD-ROM. Anysuch computer readable medium may reside on or within a singlecomputational apparatus, and may be present on or within differentcomputational apparatuses within a system or network.

The above description is illustrative and is not restrictive. Manyvariations of the invention may become apparent to those skilled in theart upon review of the disclosure. The scope of the invention can,therefore, be determined not with reference to the above description,but instead can be determined with reference to the pending claims alongwith their full scope or equivalents.

One or more features from any embodiment may be combined with one ormore features of any other embodiment without departing from the scopeof the invention.

A recitation of “a”, “an” or “the” is intended to mean “one or more”unless specifically indicated to the contrary.

All patents, patent applications, publications, and descriptionsmentioned above are herein incorporated by reference in their entiretyfor all purposes. None is admitted to be prior art.

1.-20. (canceled)
 21. A method comprising: generating, by a servercomputer, a message including an identifier and a request for detaileddevice information; retrieving, by the server computer, the detaileddevice information from an external server computer using theidentifier; receiving, by the server computer, an authentication requestmessage in an authentication process for a transaction; and determining,by the server computer, that the detailed device information is requiredto authenticate the transaction, wherein an authentication result isdetermined using at least the detailed device information.
 22. Themethod of claim 21, further comprising: transmitting, by the servercomputer, an authentication response message indicating theauthentication result.
 23. The method of claim 21, further comprising:receiving, by the external server computer, the detailed deviceinformation prior to generating the message including the identifier andthe request for the detailed device information.
 24. The method of claim23, wherein the detailed device information comprises a deviceidentifier of a portable device that is used in the authenticationprocess.
 25. The method of claim 21, wherein the authentication requestmessage is received from a portable device operated by a user conductingthe transaction with a merchant.
 26. The method of claim 25, wherein theportable device is a mobile phone.
 27. The method of claim 21, whereinthe detailed device information is used to perform a risk analysis ofthe transaction.
 28. The method of claim 27, wherein an access controlserver in communication with the server computer performs the riskanalysis.
 29. The method of claim 21, wherein the authentication requestmessage is received from an authentication application portable deviceoperated by a user conducting the transaction with a merchant.
 30. Themethod of claim 21, wherein the identifier is a session identifier forthe transaction.
 31. The method of claim 21, wherein the server computeris a group of servers functioning as a unit.
 32. The method of claim 21,wherein the server computer is a directory server computer.
 33. A servercomputer comprising: a processor; and a computer readable mediumcomprising code, executable by the processor, for performing operationscomprising: generating a message including an identifier and a requestfor detailed device information; retrieving the detailed deviceinformation from an external server computer using the identifier;receiving an authentication request message in an authentication processfor a transaction; and determining that the detailed device informationis required to authenticate the transaction, wherein an authenticationresult is determined using at least the detailed device information. 34.The server computer of claim 33, wherein the operations furthercomprise: transmitting, by the server computer, an authenticationresponse message indicating the authentication result.
 35. The servercomputer of claim 33, wherein the operations further comprise:receiving, by the external server computer, the detailed deviceinformation prior to generating the message including the identifier andthe request for the detailed device information.
 36. A systemcomprising: a server computer comprising a processor, and a computerreadable medium comprising code, executable by the processor, forperforming operations comprising generating a message including anidentifier and a request for detailed device information, retrieving thedetailed device information from an external server computer using theidentifier, receiving an authentication request message in anauthentication process for a transaction, and determining that thedetailed device information is required to authenticate the transaction,wherein an authentication result is determined using at least thedetailed device information; and the external server computer.
 37. Thesystem of claim 36, wherein the operations further comprise:transmitting, by the server computer, an authentication response messageindicating the authentication result.
 38. The system of claim 36,wherein the authentication request message is received from anauthentication application on a portable device operated by a userconducting the transaction with a merchant.
 39. The system of claim 38,further comprising the portable device.
 40. The system of claim 39,wherein the portable device is a phone.